Serverless-application-model: Feature Request: Add PermissionsBoundary as option for SAM-created role

Created on 13 Nov 2018 · 14 Comments · Source: aws/serverless-application-model

The CloudFormation team just released a batch of updates. One is for CloudFormation to support specifying a Permissions Boundary for the AWS::IAM::Role type.
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-iam-role.html

SAM creates an AWS::IAM::Role resource for a Serverless::Function in either of these situations:
a) no Role/Permission properties are specified (this is a basic role with limited privs)
b) when a list of Permissions are specified (these can be IAM Policies or in-line policy statements)

The point of Permissions Boundaries is to help delegate IAM role creation to developers while ensuring the roles they create cannot exceed a set of boundaries defined by the "real" IAM administrators of an account.
https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html

I highly recommend supporting a new property for Serverless::Function called PermissionsBoundary that is passed along to the AWS::IAM::Role that SAM creates in the above situations.

This is a particularly good match for SAM because of the intention behind both features.

  • SAM is geared at developers and helps to offload some IAM complexity from them.
  • Permissions Boundaries are an IAM feature that was designed to get more developers involved in IAM maintenance/development.

This new property would be completely optional and would thus not be a breaking change. It would need no new default. If one is not specified, then the corresponding property on the generated AWS::IAM::Role should also not be specified.

Labels: area: serverless-function · contributor: good-first-issue · type: feature

All 14 comments

@brettstack When implemented, would it be alright if it could be specified in Serverless::Function or in the Globals\Function section? It would seem to me to be a common use case where all Lambdas in and app would share a permissions boundary, even if they did each have their own role.

Yes, I think adding it to the Globals section of Serverless::Function would be a great idea.
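To make the requested semantics concrete (a PermissionsBoundary set on the function, or inherited from Globals/Function, is copied onto the generated AWS::IAM::Role, and when neither sets it the role gets no such property at all), here is an added illustration in Python. It is not code from the SAM translator; the merge function, the role shape and the sample template with its placeholder boundary ARNs are assumptions made for the example.

```python
"""Added illustration of the proposed PermissionsBoundary behaviour.
Not SAM's own code: models how a SAM-style template would be turned
into the generated execution role for a Serverless::Function."""
import copy

# Constructed sample template mirroring the YAML shape of a SAM template.
# Account id and policy names are placeholders, not real resources.
SAMPLE_TEMPLATE = {
    "Globals": {
        "Function": {
            "PermissionsBoundary": "arn:aws:iam::123456789012:policy/DeveloperBoundary"
        }
    },
    "Resources": {
        # Case (a) from the issue: no Role/Policies, so SAM generates a basic role.
        "InheritsBoundary": {
            "Type": "AWS::Serverless::Function",
            "Properties": {"Handler": "app.handler", "Runtime": "python3.7"},
        },
        # Function-level value overrides the Globals value.
        "OverridesBoundary": {
            "Type": "AWS::Serverless::Function",
            "Properties": {
                "Handler": "app.handler",
                "Runtime": "python3.7",
                "PermissionsBoundary": "arn:aws:iam::123456789012:policy/StricterBoundary",
            },
        },
        # An explicit Role means SAM generates no role, so nothing to attach to.
        "BringsOwnRole": {
            "Type": "AWS::Serverless::Function",
            "Properties": {
                "Handler": "app.handler",
                "Runtime": "python3.7",
                "Role": "arn:aws:iam::123456789012:role/PreProvisionedRole",
            },
        },
    },
}

# Trust policy every generated Lambda execution role carries.
LAMBDA_TRUST = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": ["lambda.amazonaws.com"]},
            "Action": ["sts:AssumeRole"],
        }
    ],
}


def effective_properties(template, logical_id):
    """Merge Globals.Function into the function's own Properties.

    Function-level keys win over Globals, the way SAM Globals behave for
    other properties (assumed here for PermissionsBoundary as well)."""
    merged = copy.deepcopy(template.get("Globals", {}).get("Function", {}))
    merged.update(template["Resources"][logical_id].get("Properties", {}))
    return merged


def generated_role(template, logical_id):
    """Return the AWS::IAM::Role SAM would generate, or None when the
    function supplies its own Role and no role is generated."""
    props = effective_properties(template, logical_id)
    if "Role" in props:
        return None
    role = {
        "Type": "AWS::IAM::Role",
        "Properties": {
            "AssumeRolePolicyDocument": LAMBDA_TRUST,
            "ManagedPolicyArns": [
                "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
            ],
        },
    }
    # Optional property: only emitted when the template set it, so an
    # unspecified boundary leaves the generated role without the key.
    if "PermissionsBoundary" in props:
        role["Properties"]["PermissionsBoundary"] = props["PermissionsBoundary"]
    return role


if __name__ == "__main__":
    for name in SAMPLE_TEMPLATE["Resources"]:
        role = generated_role(SAMPLE_TEMPLATE, name)
        boundary = role["Properties"].get("PermissionsBoundary") if role else "(no role generated)"
        print(f"{name}: {boundary}")
```

The three resources cover the cases discussed in the thread: inheritance from Globals, a function-level override, and a function that brings its own Role (where a boundary on the SAM resource has nothing to attach to). Dropping the Globals block from the template leaves the generated role without a PermissionsBoundary key, which is the "no new default" behaviour the request asks for.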

I took a swing at it. It doesn't include the Globals part yet, but at least it seems to work for individual functions. I'm not as familiar with the Globals part of the code, but if it's straight forward, I'll try to make that change as well.

Nicely done. I'll comment over on the PR with details on Globals.

Merged into develop. This will go out in a future release. Thanks @jasonmk 👏

Glad I could help! I look forward to being able to use it. Cheers.

Just realized that I forgot to add PermissionsBoundary to the list of supported globals in the docs. Do you want a new pull request for that or is it easier to just add it?

@jasonmk Go ahead and do a new PR. Thanks!

Released!

Hi @keetonian you mentioned that this is released.
I can see the documentation updated according to - https://github.com/awslabs/serverless-application-model/blob/master/versions/2016-10-31.md#awsserverlessfunction - sam supports specifying a PermissionsBoundary.
However, when I try to use this in a template, I see an error.

$ sam validate -t template.yaml
2019-03-25 16:04:33 Found credentials in shared credentials file: ~/.aws/credentials
Template provided at 'C:\dev\git\aws-test\template.yaml' was invalid SAM Template.
Error: [InvalidResourceException('RunPostgresScheduledFunction', 'property PermissionsBoundary not defined for resource of type AWS::Serverless::Function')] ('RunPostgresScheduledFunction', 'property PermissionsBoundary not defined for resource of type AWS::Serverless::Function')

I also see a similar error if I skip template validation and simply try to build the app using sam build.

I am on windows and I think I upgraded all my utilities but here are the cli versions that I am using:

sali@ATH021528 MINGW64 /c/dev/git/aws-test
$ aws --version
aws-cli/1.16.102 Python/3.7.2 Windows/10 botocore/1.12.92

sali@ATH021528 MINGW64 /c/dev/git/aws-test
$ sam --version
SAM CLI, version 0.11.0

Should I be upgrading my sam cli version? Or is it possible that there is a bug?

@sfali16 Upgrading to the latest version of sam CLI should address this. If it doesn't, please open an issue to the SAM CLI repo.

SAM CLI version 0.13.0 and newer contains these new features. It should work if you upgrade to this or a newer version (0.14.1 is the newest).

That did it - thanks!
